CVE-2021-36779
Host operations allowed in privileged Longhorn managed pods
Severity Score
9.6
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.
Una vulnerabilidad de falta de autenticación para funciones críticas en SUSE Longhorn permite que cualquier carga de trabajo en el clúster ejecute cualquier binario presente en la imagen del host sin autenticación. Este problema afecta a: Las versiones de SUSE Longhorn anteriores a la 1.1.3; las versiones de Longhorn anteriores a la 1.2.3
*Credits:
Dagan Henderson and Will Kline
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-07-19 CVE Reserved
- 2021-12-17 CVE Published
- 2024-09-01 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.suse.com/show_bug.cgi?id=1191818 | 2023-02-10 | |
| https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx | 2023-02-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Longhorn Search vendor "Linuxfoundation" for product "Longhorn" | < 1.1.3 Search vendor "Linuxfoundation" for product "Longhorn" and version " < 1.1.3" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Longhorn Search vendor "Linuxfoundation" for product "Longhorn" | >= 1.2.0 < 1.2.3 Search vendor "Linuxfoundation" for product "Longhorn" and version " >= 1.2.0 < 1.2.3" | - |
Affected
| ||||||